JNCIE-SEC v1.3 workbook (2017) Demo workbook

JNCIE-SEC v1.3 workbook (2017) · 2017. 4. 5. · JNCIS-SEC and JNCIP-SEC written exams before you start using this workbook. iNET ZERO’s JNCIE-SEC preparation workbook is developed



Why this demo workbook?

This workbook is intended to give you an idea of what the purchased workbook looks like and of the way the original workbook teaches you the curriculum. Because of this, we hope you will understand that only part of the content is covered here.

If you have any questions, please don’t hesitate to contact me.

Jörg Buesink

[email protected]

Owner iNET ZERO

About the authors

Alexei lives in Moscow and speaks Russian and English. He started his career in the telecommunications area in 1995 as a technician at a S.W.I.F.T. Access Point. Since that time he has gained experience as a field, technical support and systems engineer, project manager, technical writer and instructor. He has taken part in many projects for corporate clients and service providers, participated in the creation of networks based on X.25, Frame Relay, ATM, PDH/SDH, TCP/IP and VoIP technologies, and learned and implemented solutions from Motorola, Nortel Networks, Tellabs and Acme Packet.

Since 2006 Alexei has been working with Juniper Networks technologies and products, focusing primarily on security solutions. Alexei becomes energized and determined to stimulate people to move, grow and develop to higher levels of personal effectiveness. Alexei holds the following certifications: JNCIE-SEC#113, JNCIP-M/T, JNCIS-FW, JNCIS-SSL, JNCIA-EX and Acme Packet Certified Instructor.

Jörg lives in the Netherlands near Amsterdam and brings more than 10 years of experience in the IT and networking industry. He has worked for several large ISPs / service providers in the role of technical consultant, designer and network architect. He has extensive experience in network implementation, design and architecture and has taught several networking classes.

Certifications: Quadruple JNCIE certified (JNCIE-DC#007, JNCIE-ENT#21, JNCIE-SP#284 and JNCIE-SEC#30), Triple CCIE #15032 (Routing/Switching, Service Provider and Security), Cisco CCDE#20110002 certified, Huawei HCIE#2188 Routing and Switching.

Richard Pracko comes from the heart of Europe, from the small but beautiful country of Slovakia. Right after finishing his university studies with telecommunications as a major, he joined the Siemens Networking department and focused on the integration of Juniper Networks and Siemens products. There he gathered a lot of experience and skills in the networking area by taking an active part in numerous projects all over the world. It was during that time that his teaching career started. At the beginning of 2009 he left Siemens on his own initiative and became a full-time instructor and technical consultant over a vast geographic area (EMEA and more).

Richard is an energetic young man with interests ranging across numerous sport disciplines such as tennis, soccer, skiing and others. Richard speaks English, German, Czech and Slovak. Richard holds the following certifications: JNCIS-FWV, JNCIP-SEC, JNCIS-ENT, JNCIA-EX.

Rack rental service

Did you know that this workbook can be used in combination with our premium JNCIE rack rental service? Take a look at our website for more information: www.inetzero.com

Warning: Please do NOT change the root account password for any of our devices, to prevent unnecessary password recovery. Thank you for your cooperation.

Target audience

This workbook is developed for experienced network engineers who are preparing for the Juniper Networks JNCIE-SEC lab exam. Although not required, it is highly recommended that you have passed the JNCIS-SEC and JNCIP-SEC written exams before you start using this workbook. iNET ZERO’s JNCIE-SEC preparation workbook is developed in such a way that we expect you to have theoretical knowledge of the JNCIE-SEC lab exam blueprint topics (JNCIP-SEC certified or working towards this certification). For example, in this workbook we will not explain what route-based VPNs, UTM and NAT are. What we will do is test whether you are able to configure all these technologies based on certain requirements and understand how they interact in a typical SEC environment.

How to use this workbook

We recommend that you start your JNCIE lab preparation with the workbook chapters only. Always note the time spent on each chapter/task to see whether you have improved once you go over the chapters again. Ensure that you go through the workbook chapters at least twice before you start with the Super Lab. You are ready to try the Super Lab if you are able to configure the chapter tasks without needing the chapter answers.

iNET ZERO support

Always feel free to ask us questions regarding the workbook or JNCIE rack rental. You can reach us at [email protected]. We love to hear from you regarding your preparation progress. Your feedback regarding our products is also very much appreciated!


Table of Contents

Chapter one: General system features

Task 1: Initial configuration

Task 2: Authentication and authorization

Task 3: Syslog

Task 4: NTP

Task 5: SNMP

Chapter two: High availability

Task 1: Creating clusters – initial setup

Task 2: Configuring redundancy groups and redundant ethernet interfaces

Chapter three: Firewall - Security policies

Task 1: Configuring interfaces and security zones

Task 2: Local traffic and static routing

Task 3: Security policies

Chapter four: Unified Threat Management

Task 1: Web-filtering

Task 2: Antivirus

Task 3: Content filtering

Task 4: Antispam

Chapter five: IPSec VPNs

Task 1: Configuring Policy-based VPN

Task 2: Configuring Route-based VPN

Task 3: Configuring GRE-tunnel over Route-based VPN

Task 4: Configuring Dynamic VPN

Chapter six: NAT

Task 1: IPv4 Source NAT

Task 2: IPv4 Destination NAT

Task 3: IPv4 Static NAT

Task 4: NAT Protocol Translation (IPv6/IPv4)

Chapter seven: Attack Prevention and Mitigation

Task 1: Firewall Filters

Task 2: SCREEN

Task 3: Intrusion Prevention System

Chapter eight: Extended Implementation Concepts


Task 1: Transparent Mode

Task 2: Filter Based Forwarding

Chapter nine: AppSecure

Task 1: AppID

Task 2: AppTrack

Task 3: AppFW

Task 4: AppQoS

Task 5: SSL Proxy

Task 6: User identification

Super Lab 1

Task 1: Initial configuration part 1

Task 2: Initial configuration part 2

Task 3: Interfaces, zones, local traffic and static routing

Task 4: UTM

Task 5: NAT

Task 6: OSPF and IPSec VPN

Task 7: Attack prevention and mitigation

Task 8: AppSecure

Super Lab 2

Task 1: Interfaces, System and High Availability

Task 2: Basic security

Task 3: BGP and IPSec VPN

Task 4: Network Address Translation

Task 5: Unified Threat Management

Task 6: Attack prevention

Appendix - Chapter one: General system features

Task 1: Initial configuration

Task 2: Authentication and authorization

Task 3: Syslog

Task 4: NTP

Task 5: SNMP

Appendix - Chapter two: High availability

Task 1: Creating clusters – initial setup

Task 2: Configuring redundancy groups and redundant ethernet interfaces

Appendix - Chapter three: Firewall - Security policies

Task 1: Configuring interfaces and security zones

Task 2: Local traffic and static routing

Task 3: Security policies

Appendix - Chapter four: Unified Threat Management

Task 1: Web-filtering

Task 2: Antivirus

Task 3: Content filtering

Task 4: Antispam

Task 5: Testing

Appendix - Chapter five: IPSec VPNs

Task 1: Configuring Policy-based VPN

Task 2: Configuring Route-based VPN

Task 3: Configuring GRE-tunnel over Route-based VPN

Task 4: Configuring Dynamic VPN

Task 5: Verification

Appendix - Chapter six: NAT

Task 1: Source NAT

Task 2: Destination NAT

Task 3: Static NAT

Task 4: NAT Protocol Translation (IPv6/IPv4)

Appendix - Chapter seven: Attack Prevention and Mitigation

Task 1: Firewall Filters

Task 2: SCREEN

Task 3: Intrusion Prevention System

Task 4: Verification

Appendix - Chapter eight: Extended Implementation Concepts

Task 1: Transparent Mode

Task 2: Filter Based Forwarding

Task 3: Verification

Appendix - Chapter nine: AppSecure

Task 1: AppID

Task 2: AppTrack

Task 3: AppFW

Task 4: AppQoS

Task 5: SSL Proxy

Task 6: User identification

Chapter one: General system features

This chapter focuses on initial system configuration and general system features. You will configure various features, such as hostnames, access to the management network, authentication and authorization, NTP, SNMP and syslog.

Topology for chapter one:

NOTE: Load the configs on the lab devices. Ensure that you do not forget to load the infrastructure configurations for the switches (vr-device and the access switch).

TIP: Ensure you read this entire chapter before starting with the first task.

Task 1: Initial configuration

In this part you will configure the device hostnames and the management network interface details, including the definition of the specific services allowed for accessing the device.

1) Configure the hostnames on the devices according to the table below:

    Device    Hostname
    device1   srx1
    device2   srx2
    device3   srx3
    device4   srx4
    device5   srx5
    device6   srx6
    device7   srx7
    device8   srx8

2) Based on the topology diagram, configure the management and loopback interfaces on each device with the IP addresses listed in the table below:

    Device   Management IP address   Loopback IP address
    srx1     10.10.1.1/24            192.168.1.1/32
    srx2     10.10.1.2/24            192.168.1.2/32
    srx3     10.10.1.3/24            192.168.1.3/32
    srx4     10.10.1.4/24            192.168.1.4/32
    srx5     10.10.1.5/24            192.168.1.5/32
    srx6     10.10.1.6/24            192.168.1.6/32
    srx7     10.10.1.7/24            192.168.1.7/32
    srx8     10.10.1.8/24            192.168.1.8/32

3) The management interface on each device is to be used purely for management access and must not accept any transit traffic. In addition, this interface will accept only the specific services defined in the table below:

    Device   Allowed services
    srx1     ssh with allowed root access, telnet, http, https
    srx2     ssh with allowed root access, telnet, http, https
    srx3     ssh with allowed root access, telnet, http, https
    srx4     ssh with allowed root access, telnet, http, https
    srx5     ssh with allowed root access, telnet, http, https
    srx6     ssh with allowed root access, telnet, http, https
    srx7     ssh with allowed root access, telnet, http, https
    srx8     ssh with allowed root access, telnet, http, https

Ensure the listed services are enabled.
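One way to complete the three steps for srx1, shown here as an added example in set-command form; it is not the workbook's answer key. It assumes the management port is ge-0/0/0.0 (the topology diagram, not reproduced in this extract, decides the real port) and places it in a dedicated MGMT security zone and virtual router, both names chosen here; on platforms whose management port is fxp0 the zone, host-inbound-traffic and routing-instance lines are unnecessary, because fxp0 never carries transit traffic. Telnet and root login over SSH are configured exactly as the task requires; both are exam requirements rather than a recommended production setting, since telnet carries credentials in cleartext.

```junos
## Added example: Task 1 for srx1 (not the workbook's answer key).
## Assumption: ge-0/0/0.0 is the management port; MGMT zone/instance names are chosen here.
set system host-name srx1

## Step 2: management and loopback addresses from the table
set interfaces ge-0/0/0 unit 0 description "management only - no transit"
set interfaces ge-0/0/0 unit 0 family inet address 10.10.1.1/24
set interfaces lo0 unit 0 family inet address 192.168.1.1/32

## Step 3: enable the listed services; web-management is bound to the management port
set system services ssh root-login allow
set system services telnet
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0

## Step 3: the interface accepts only these services towards the device itself.
## No security policy references MGMT, so the default deny-all policy drops any
## transit traffic that would try to enter or leave through this zone.
set security zones security-zone MGMT interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone MGMT interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone MGMT interfaces ge-0/0/0.0 host-inbound-traffic system-services https

## Keeping the management port in its own virtual router means no route in the
## main instance can ever lead transit traffic onto it, even if a policy is
## added to MGMT later by mistake.
set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/0.0

## Verification (operational mode):
##   show security zones MGMT
##   show configuration system services
##   show interfaces terse ge-0/0/0 lo0
```

The `##` lines are commentary for the reader; strip them before pasting the block into `load set terminal`. Repeat the block per device with the hostname, management and loopback addresses from the tables above.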

Chapter seven: Attack Prevention and Mitigation

This chapter is dedicated to the Attack Prevention and Mitigation functionality on Junos security devices. The presented tasks will require you to configure stateless packet filtering, the SCREEN functionality and the Intrusion Prevention System feature set.

Topology for chapter seven:

You can continue with the configuration if you have completed the tasks from chapter 3, or you can load the latest initial configurations for this chapter onto the devices.

NOTE: If you have loaded the initial configuration for the vr-device and the access-switch before, you don’t have to do it again.

NOTE: The lab’s starting point requires SRX clusters to be formed between devices srx3 – srx4 and srx5 – srx6, with the respective configuration loaded on them.

TIP: Ensure you read this entire chapter before starting with the first task.

Enter this temporary voucher code within 1 week to get 10% off your purchase (workbooks only). Go to: www.bit.ly/2cfMeXF

Voucher code: H2993DJ (automatically expires within one week of downloading this demo workbook)

Task 3: Intrusion Prevention System

In this part you will configure the lab equipment as necessary to deploy Intrusion Prevention System features in the Data Center and Central Office.

Data Center: cluster1

There are several servers located in different zones in the Data Center network (see the table below). Services that are not mentioned in this table or in the following configuration tasks must be restricted by the security policies.

    Security zone name   Services
    TRUST                SMTP, POP3, IMAP
    DMZ                  HTTP, SMTP, POP3, IMAP, FTP
    WAREHOUSE            HTTP

1) Configure cluster1 to use the TCP SYN cookie rather than the TCP SYN proxy mechanism.

2) Protect the Data Center resources with the predefined IDP policy “Recommended”. Ensure that only the specified services are monitored for traffic traversing between the Data Center protected resources and the Untrust zone.

3) Ensure that all the Data Center resources are protected against TCP/IP attacks and malware activity from the Untrust zone, and that internal servers cannot cause infection or be the source of attacks against any hosts located in the Untrust zone.

4) Allow anonymous access from the Untrust zone to the FTP servers 172.16.150.1 and 172.16.150.2 only from the 80.10.1.128/29 range. Restrict access for the rest of the hosts located in the Untrust zone. Silently drop packets from unauthorized hosts, block them for 1 hour and generate log messages with severity level Major and the alert flag.

5) Clients are instantly denied access to the following URLs:

    a. www.playboy.com
    b. www.hustler.com

    The connection must be closed when such an attempt is detected.

6) Downloading PDF files via HTTP is prohibited for users located in the TRUST zone. If such an attempt is detected, the connection has to be closed.
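Steps 1 to 4 on cluster1 as an added example in set-command form; this is not the workbook's answer key, and steps 5 and 6 (URL and PDF blocking) are left out. It assumes the IDP signature database and policy templates are already installed and that the predefined “Recommended” policy has been copied into a policy named DC-IDP (configuration-mode `copy security idp idp-policy Recommended to DC-IDP`), because only one IDP policy is active at a time and the custom FTP rule must live in the same policy. The DMZ policy pair is written out; the TRUST and WAREHOUSE pairs follow the same pattern with their own service lists. Policy, rule, address and attack names are all chosen here.

```junos
## Added example (not the workbook's answer key): Task 3 steps 1-4 on cluster1.
## Assumes IDP templates installed and "Recommended" copied to DC-IDP.

## Step 1: SYN cookie instead of SYN proxy (a flow-level setting, node-wide)
set security flow syn-flood-protection-mode syn-cookie

## Steps 2 and 3: IDP inspection is attached per security policy, so listing only the
## table's services in the match keeps inspection limited to them. Attaching it on
## the return-direction policy too covers internal servers attacking Untrust.
set security policies from-zone Untrust to-zone DMZ policy dmz-in match source-address any
set security policies from-zone Untrust to-zone DMZ policy dmz-in match destination-address any
set security policies from-zone Untrust to-zone DMZ policy dmz-in match application [ junos-http junos-smtp junos-pop3 junos-imap junos-ftp ]
set security policies from-zone Untrust to-zone DMZ policy dmz-in then permit application-services idp
set security policies from-zone DMZ to-zone Untrust policy dmz-out match source-address any
set security policies from-zone DMZ to-zone Untrust policy dmz-out match destination-address any
set security policies from-zone DMZ to-zone Untrust policy dmz-out match application any
set security policies from-zone DMZ to-zone Untrust policy dmz-out then permit application-services idp
## (same pair for TRUST with [ junos-smtp junos-pop3 junos-imap ] and WAREHOUSE with junos-http)

## Step 4: IDP rules reference address-book names, not prefixes
set security address-book global address FTP-SERVER-1 172.16.150.1/32
set security address-book global address FTP-SERVER-2 172.16.150.2/32
set security address-book global address-set FTP-SERVERS address FTP-SERVER-1
set security address-book global address-set FTP-SERVERS address FTP-SERVER-2
set security address-book global address FTP-ALLOWED 80.10.1.128/29

## Custom signature: FTP USER command carrying "anonymous"; \[ \] makes the
## match case-insensitive in the IDP pattern syntax
set security idp custom-attack ANON-FTP-LOGIN severity major
set security idp custom-attack ANON-FTP-LOGIN attack-type signature protocol-binding tcp
set security idp custom-attack ANON-FTP-LOGIN attack-type signature context ftp-username
set security idp custom-attack ANON-FTP-LOGIN attack-type signature pattern ".*\[anonymous\].*"
set security idp custom-attack ANON-FTP-LOGIN attack-type signature direction client-to-server

## Rule: every Untrust source except the /29 that logs in anonymously is dropped
## silently (drop-packet), blocked for 3600 s (ip-action), and logged as Major
## with the alert flag. source-except expresses "everyone but the allowed range".
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP match from-zone Untrust
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP match to-zone DMZ
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP match source-except FTP-ALLOWED
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP match destination-address FTP-SERVERS
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP match application junos-ftp
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP match attacks custom-attacks ANON-FTP-LOGIN
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP then action drop-packet
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP then ip-action ip-block
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP then ip-action timeout 3600
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP then ip-action log
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP then notification log-attacks alert
set security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP then severity major

## Rules are evaluated top-down; move the custom rule ahead of the copied template
## rules, then activate the policy:
##   insert security idp idp-policy DC-IDP rulebase-ips rule ANON-FTP before rule <first-template-rule>
set security idp active-policy DC-IDP

## Verification (operational mode):
##   show security idp status
##   show security idp attack table
##   show security idp counters ip-action
##   show security flow statistics
```

The `<first-template-rule>` placeholder stands for whatever rule the copied template lists first; `show configuration security idp idp-policy DC-IDP` reveals it. The `##` lines are reader commentary and must be stripped before a `load set`.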

Chapter eight: Extended Implementation Concepts

This chapter is focused on two features of the JUNOS security kit: Transparent mode and Filter Based Forwarding. The presented scenarios require you to reconfigure the security devices srx1 and srx7 according to the picture below.

Topology for chapter eight:

You can continue with the configuration if you have completed the tasks from chapter 7, or you can load the latest initial configurations for this chapter onto the devices.

NOTE: The initial configurations of srx1 and srx7 differ from the final step of chapter 7. You need to download the initial configurations for these devices from our website (see link above) and load them on srx1 and srx7.

NOTE: If you have loaded the initial configuration for the vr-device and access-switch before, you don’t have to do it again.

TIP: Ensure you read this entire chapter before starting with the first task.

Content only available in the original workbook

Task 1: Transparent Mode

In this section you need to configure the Home Office’s security device such that srx1 makes forwarding decisions based on MAC addresses rather than on the information in the IP header.

1) Configure the interfaces, bridge domain and security zones on srx1 according to the table below, which reflects the topology image. Rewrite vlan-id 81 to vlan-id 80 on the trunk port ge-0/0/5.0.

    Interface    IP address     Interface mode   VLAN-ID   Zone
    ge-0/0/4.0   N/a            Access           80        TRUST
    ge-0/0/5.0   N/a            Trunk            81        DMZ
    ge-0/0/3.0   N/a            Access           80        UNTRUST
    irb.0        80.10.8.5/24   N/a              80        N/a

2) Configure a static default route pointing to the IP address 80.10.8.254.

3) The hosts from the TRUST zone and its network range can go to the outside network (internet) with http and https.
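The three steps for srx1 as an added example in set-command form, not the workbook's answer key. It uses the `bridge-domains` / `family bridge` syntax of the Junos releases that call this feature a bridge domain, as the task does; the bridge-domain name BD80, the policy and address names, and the assumption that the TRUST hosts live in the same 80.10.8.0/24 as irb.0 are all choices made here. The assumed `vlan-rewrite translate 81 80` form maps the VLAN tag 81 received on ge-0/0/5 onto bridge domain 80.

```junos
## Added example (not the workbook's answer key): srx1 in transparent mode.
## Assumptions: pre-15.1X49 bridge-domain syntax; TRUST hosts are in 80.10.8.0/24.

## Step 1: Layer 2 interfaces. ge-0/0/5 is a trunk that receives VLAN 81 on the wire
## and rewrites it to 80 so all three ports share one bridge domain.
set interfaces ge-0/0/4 unit 0 family bridge interface-mode access
set interfaces ge-0/0/4 unit 0 family bridge vlan-id 80
set interfaces ge-0/0/3 unit 0 family bridge interface-mode access
set interfaces ge-0/0/3 unit 0 family bridge vlan-id 80
set interfaces ge-0/0/5 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/5 unit 0 family bridge vlan-id-list 80
set interfaces ge-0/0/5 unit 0 family bridge vlan-rewrite translate 81 80

## Bridge domain 80; irb.0 carries the device's own management address inside it
set bridge-domains BD80 domain-type bridge
set bridge-domains BD80 vlan-id 80
set bridge-domains BD80 routing-interface irb.0
set interfaces irb unit 0 family inet address 80.10.8.5/24

## Zones: the Layer 2 interfaces are zone members, irb.0 is not (as in the table)
set security zones security-zone TRUST interfaces ge-0/0/4.0
set security zones security-zone DMZ interfaces ge-0/0/5.0
set security zones security-zone UNTRUST interfaces ge-0/0/3.0

## Step 2: default route, used only by the device's own (irb) traffic
set routing-options static route 0.0.0.0/0 next-hop 80.10.8.254

## Step 3: TRUST hosts reach the internet with HTTP and HTTPS only; everything
## else is dropped by the default policy, because no other policy exists
set security address-book global address TRUST-NET 80.10.8.0/24
set security policies from-zone TRUST to-zone UNTRUST policy web-out match source-address TRUST-NET
set security policies from-zone TRUST to-zone UNTRUST policy web-out match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy web-out match application [ junos-http junos-https ]
set security policies from-zone TRUST to-zone UNTRUST policy web-out then permit

## Verification (operational mode):
##   show bridge domain
##   show bridge mac-table
##   show security flow session
```

Switching a device between Layer 3 and transparent mode takes effect only after a reboot, so commit, reboot srx1, and only then check the bridge MAC table. The `##` lines are reader commentary and must be stripped before a `load set`.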

Appendix Chapter five: IPSec VPNs

The purpose of this appendix is to guide you through the milestones of Chapter 5. You will find here configuration excerpts, tips and recommendations for the successful completion of the IPSec VPN tasks.

Task 1: Configuring Policy-based VPN

Task 1 Topology.

In this part you will configure the lab equipment as necessary to build a policy-based VPN between the Data Center, Home Office and Finance department.

1) Configure the IPSec VPN on every device according to the table below, which reflects the topology image.

    Local peer   Interface     Security zone   Remote peer   Interface   Security zone
    srx7         ge-0/0/4.60   Untrust         Cluster1      reth0.0     Untrust
    srx8         ge-0/0/3.0    Untrust         Cluster1      reth0.0     Untrust

NOTE: Chapter 3 states that the association of loopbacks with security zones is free unless explicitly defined by a task. If the loopback interfaces are to be used as IPsec VPN termination points, keep in mind that they have to be associated with the same zone as the physical external interfaces (KB22129): the KB describes that a VPN setup where the loopback and the physical external interface are located in different security zones is not supported.

At this step it is a good idea to verify that the operational configuration is available on the security devices. The commands below can be used for that verification:

    lab@srx8> show interface ge-0/0/3.0 terse

Ensure that IKE traffic destined to the ge-0/0/3.0 interface is accepted by the security zone settings:

    lab@srx8> show security zone security-zone Untrust

Ensure that a security policy allows intrazone traffic for the Untrust security zone:

    lab@srx8> show security policy from-zone Untrust to-zone Untrust

2) The Central Office srx5/srx6 cluster provides only a dynamic source NAT (NAT-src) service. Use the “load merge relative” command to insert the interface-based NAT configuration into cluster2. The configuration file has already been copied to the user’s directory and is named “int-based-nat-cluster2-c5t1”.

    [edit security nat]
    source {
        rule-set int-nat {
            from zone INTERNAL;
            to zone UNTRUST;
            rule for-finance-dep {
                match {
                    source-address 172.16.60.0/24;
                }
                then {
                    source-nat interface;
                }
            }
        }
    }

3) The VPN between srx8 and Cluster1 must meet the following requirements:

Configuration for steps a) and b) below can be done from the [edit security ike] level of the CLI hierarchy. There are three configuration elements that need to be defined there: the Phase 1 IKE proposal, the Phase 1 IKE policy and the Phase 1 IKE gateway.

    a. Validate peer reachability with the DPD option. The keepalives should be sent to the neighboring peer every 10 seconds regardless of traffic patterns. Consider the peer unreachable if the number of DPD retransmissions exceeds 5 packets.

    b. The IKE Phase 1 proposal must include: preshared key “juniper”, DES, DH group 1, MD5. Rekey Phase 1 every 24 hours.

    [edit security ike proposal ike-proposal]
    authentication-method pre-shared-keys;
    dh-group group1;
    authentication-algorithm md5;
    encryption-algorithm des-cbc;
    lifetime-seconds 86400;

NOTE: The proposal must be the same for both peers participating in Phase 1 establishment. A mistake at this configuration step will lead to the failure of Phase 1 establishment, with the possible cause code “No proposal chosen” in the kmd log on the responder’s side.

The preshared key’s value, together with the tunnel’s mode, is defined in the Phase 1 IKE policy. The previously defined Phase 1 proposal is also referenced in the Phase 1 policy:

    [edit security ike policy ike-policy]
    mode main;
    proposals ike-proposal;
    pre-shared-key ascii-text "$9$/Xo/Au17-wRh-wYgUD9Ap"; ## SECRET-DATA

NOTE: The other possible issue during Phase 1 configuration is a mismatch of the preshared key’s value. A mistake at this configuration step will lead to the failure of Phase 1 establishment, with the possible cause code “Invalid payload type” in the kmd log on the responder’s side.

The final step of the Phase 1 configuration is the gateway definition:

    [edit security ike gateway ike-gateway]
    ike-policy ike-policy;
    address 192.168.2.1;
    dead-peer-detection {
        always-send;
        interval 10;
        threshold 5;
    }
    external-interface ge-0/0/3.0;

NOTE: One more possible issue during Phase 1 configuration is a mismatch of the peers’ logical interfaces that are specified with the “address” and “external-interface” keywords. A mistake at this configuration step will lead to the failure of Phase 1 establishment, with the possible cause code “Remote peer is not recognized” in the kmd log on the responder’s side.
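The three NOTEs above all describe a mismatch between the two ends of Phase 1. As an added example (not the workbook's answer key), here is the Cluster1 side of the same Phase 1 in set-command form, so the two ends can be compared line by line: the proposal and policy are identical, the gateway's `address` is srx8's external address and its `external-interface` is the cluster's reth0.0 from the table in step 1, and reth0.0 must carry the 192.168.2.1 that srx8's gateway points at. `<SRX8-GE-0/0/3-ADDRESS>` is a placeholder because this extract does not give srx8's external address; the gateway name gw-srx8 is chosen here.

```junos
## Added example: Cluster1 side of the Phase 1 configured on srx8 above
## (not the workbook's answer key). <SRX8-GE-0/0/3-ADDRESS> is a placeholder.

## Proposal: must match srx8's ike-proposal field by field, otherwise the
## responder logs "No proposal chosen"
set security ike proposal ike-proposal authentication-method pre-shared-keys
set security ike proposal ike-proposal dh-group group1
set security ike proposal ike-proposal authentication-algorithm md5
set security ike proposal ike-proposal encryption-algorithm des-cbc
set security ike proposal ike-proposal lifetime-seconds 86400

## Policy: same mode and the same preshared key ("Invalid payload type" otherwise)
set security ike policy ike-policy mode main
set security ike policy ike-policy proposals ike-proposal
set security ike policy ike-policy pre-shared-key ascii-text juniper

## Gateway: address = srx8's ge-0/0/3.0 address, external-interface = reth0.0.
## If either side names the wrong interface or address, the responder logs
## "Remote peer is not recognized"
set security ike gateway gw-srx8 ike-policy ike-policy
set security ike gateway gw-srx8 address <SRX8-GE-0/0/3-ADDRESS>
set security ike gateway gw-srx8 dead-peer-detection always-send
set security ike gateway gw-srx8 dead-peer-detection interval 10
set security ike gateway gw-srx8 dead-peer-detection threshold 5
set security ike gateway gw-srx8 external-interface reth0.0

## The zone holding reth0.0 must accept IKE towards the device (the same check
## the "show security zone" command above performs on srx8)
set security zones security-zone Untrust interfaces reth0.0 host-inbound-traffic system-services ike

## Verification on either peer (operational mode):
##   show security ike security-associations      -> state UP once Phase 1 completes
##   show log kmd                                  -> cause codes from the NOTEs on the responder
```

Compare `show security ike security-associations` on both ends after the commit; a tunnel that is UP on neither side with one of the three cause codes in `show log kmd` points at the corresponding mismatch. The `##` lines are reader commentary and must be stripped before a `load set`.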

DEMO END

This workbook was developed by iNET ZERO.

All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of iNET ZERO, a registered company in the Netherlands. This product cannot be used by or transferred to any other person. You are not allowed to rent, lease, loan or sell iNET ZERO training products including this workbook and its configurations. You are not allowed to modify, copy, upload, email or distribute this workbook in any way. This product may only be used and printed for your own personal use and may not be used in any commercial way. Juniper (c), Juniper Networks Inc, JNCIE, JNCIP, JNCIS, JNCIA, Juniper Networks Certified Internet Expert are registered trademarks of Juniper Networks, Inc.

This original workbook has helped more than 340 people achieve the expert certification.

Unfortunately you have reached the end of this demo workbook.
